On Tue, 2004-12-14 at 16:09, Timothy R. Chavez wrote:
> Yes,
>
> But you have the problem of incomplete logs. For testing purposes the
> audit log should contain coherent and complete records only. What
> about just adding a list_head to the audit_context, so we can add
> all the necessary information about each object to that list and then
> just write it out on syscall exit?
As soon as you know that the object is auditable, you presumably would
like to have an audit record about it, even if the full operation
doesn't complete (in fact, if you've determined that the object is
auditable, you want to immediately verify that you can at least audit
that information; otherwise, you may need to take some emergency action
then, not after the operation has completed and it is too late). Note
that your hook functions are what is determining whether or not an audit
record should be generated (based on the object information).
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
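The two designs argued over above, as an added userspace model (not code from the audit patch under discussion or from the kernel): design A queues each object on a list hanging off the audit_context and writes everything out at syscall exit; design B emits a record the moment a hook decides the object is auditable and reports failure to the caller, so the operation can be refused rather than completed unaudited. The names audit_object, audit_emit, log_ok, simulate_syscall and run_scenario are hypothetical, the list_head and container_of helpers are re-implemented here rather than taken from kernel headers, and the "/etc/shadow" input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal intrusive list modeled on the kernel's struct list_head. */
struct list_head { struct list_head *next, *prev; };
static void init_list(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* One auditable object as a hook sees it (hypothetical layout). */
struct audit_object { struct list_head list; char path[64]; unsigned long ino; };

/* Per-syscall context carrying the proposed object list plus counters. */
struct audit_context {
    struct list_head objects;
    int emitted;   /* records actually written */
    int dropped;   /* records lost because the log was unavailable */
};

/* Stand-in for the audit backend: log_ok == 0 models an unavailable log
   (e.g. a full backlog). Returns 0 on success, -1 on failure. */
int log_ok = 1;
static int audit_emit(struct audit_context *ctx, const struct audit_object *o)
{
    if (!log_ok) { ctx->dropped++; return -1; }
    printf("audit: path=%s ino=%lu\n", o->path, o->ino);
    ctx->emitted++;
    return 0;
}

/* Design A (the proposal): the hook only queues the object; the records are
   written out at syscall exit. */
static int hook_deferred(struct audit_context *ctx, const char *path, unsigned long ino)
{
    struct audit_object *o = malloc(sizeof *o);
    if (!o) return -1;
    snprintf(o->path, sizeof o->path, "%s", path);
    o->ino = ino;
    list_add_tail(&o->list, &ctx->objects);
    return 0;
}
static int audit_syscall_exit(struct audit_context *ctx)
{
    struct list_head *p, *n; int rc = 0;
    for (p = ctx->objects.next; p != &ctx->objects; p = n) {
        struct audit_object *o = container_of(p, struct audit_object, list);
        n = p->next;
        if (audit_emit(ctx, o) < 0) rc = -1;
        free(o);
    }
    init_list(&ctx->objects);
    return rc;
}

/* Design B (the reply): emit as soon as the object is known to be auditable,
   so a failure to audit can be acted on before the operation runs. */
static int hook_immediate(struct audit_context *ctx, const char *path, unsigned long ino)
{
    struct audit_object o;
    snprintf(o.path, sizeof o.path, "%s", path);
    o.ino = ino;
    return audit_emit(ctx, &o);
}

/* Simulated syscall on one auditable object: returns 1 if the operation was
   performed, 0 if it was refused because it could not be audited first. */
static int simulate_syscall(struct audit_context *ctx, int immediate,
                            const char *path, unsigned long ino)
{
    if (immediate) {
        if (hook_immediate(ctx, path, ino) < 0) return 0;  /* emergency action */
        return 1;                  /* record is already safe; operation proceeds */
    }
    hook_deferred(ctx, path, ino);
    /* ... the operation itself runs here, before anything has been written ... */
    audit_syscall_exit(ctx);       /* a failure here is discovered too late */
    return 1;
}

/* Runs one syscall under a strategy with the log up or down. Returns whether
   the operation was performed; *emitted/*dropped receive the counters. */
int run_scenario(int immediate, int log_available, int *emitted, int *dropped)
{
    struct audit_context ctx; int performed;
    init_list(&ctx.objects);
    ctx.emitted = ctx.dropped = 0;
    log_ok = log_available;
    performed = simulate_syscall(&ctx, immediate, "/etc/shadow", 1234); /* constructed */
    if (emitted) *emitted = ctx.emitted;
    if (dropped) *dropped = ctx.dropped;
    return performed;
}
int scenario_dropped(int immediate, int log_available)
{
    int d; run_scenario(immediate, log_available, NULL, &d); return d;
}
```

With the log up, both designs perform the operation and write one record. With the log down, design A still performs the operation and only then loses the record at syscall exit, whereas design B sees the failure in the hook and refuses the operation, which is the property the reply above is arguing for.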